Speaking after the Government announced the loss of 25m child benefit records, Dr Jon Hall, Senior Lecturer and leading researcher in Information Security at The Open University, believes that the event is the tip of an iceberg and points to "systematic security risks in many more organisations."

Dr Hall said: "Only a very small proportion of information security breaches are malicious; more than 70% of all breaches are caused accidentally or inadvertently by ordinary staff in organisations. Malicious attackers often exploit this fact to do harm.

"Security breaches are much more likely to arise because people are not aware of the importance of the information they handle or because they assume security is someone else’s responsibility.

"Most major organisations in both the public and private sector have appointed very senior people, usually IT specialists, to be responsible for information security. But experience at The Open University, which runs specialist courses in Information Security as part of its MSc Programme, suggests that many organisations could do much more to help ordinary employees to be much more aware of how they can play a role."

Dr Hall points to a tendency to rely on technology as the best way to ensure information security.

"If most breaches are caused by people, then surely the priority should be to cascade training on information security to many more people at every level of an organisation than is currently done.

"Information security is often seen as a specialist branch of management, but ideally, every manager should be an information security manager in relation to the work of their own department and team, and every employee should understand the importance of their own role."

The Open University’s course on Information Security Management places considerable emphasis on helping managers to better understand how training, job design, and the organisation of the work environment can contribute to helping employees be more alert to risks and vulnerabilities.

The Open University also has an active research programme called 'Security Requirements Engineering' which seeks to understand the assets that require protection, even lowly CDs, and the threats to those assets.

"By balancing technology management with people management, we help organisations to develop the capacity to meet British and International Standards for information security management and reduce the risk of such major breaches happening again", said Dr Hall.

Editor’s Notes

The Computing Department is part of the Faculty of Mathematics, Computing and Technology. The main interests for both teaching and research include software engineering and security and human-computer interaction, both of which contribute to developing improved information security.

Information Security and Management (M886) provides masters-level education for people responsible for managing information security in organisations of any size. The course lasts approximately six months and students are tutored by information security professionals, as well as academics. Many employers pay for staff to take the course, using it to develop an Information Security Management System tailored to their organisation.

The Computing Department is leading a joint £1.25m government funded research project, with partners at Imperial College London, developing approaches to protecting privacy in an environment where computers are small, mobile and ubiquitous.